remcos | 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Size

988KB
MD5

b2618fbb2e344dbdc7d4b33947d71531
SHA1

a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
SHA512

1ca8727770d6458785c1206e81fa6f69675afb521944a9206197bcc9737a81afea2a462bf93bbfbe836b841038e01c354fd9d2abdd902f13187a970a4ede6b57
SSDEEP

24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2072	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 1716 set thread context of 3988	1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	109

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2072	powershell.exe
2792	powershell.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2792	powershell.exe
2072	powershell.exe
3504	msedge.exe
3504	msedge.exe
4652	msedge.exe
4652	msedge.exe
956	identity_helper.exe
956	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2792	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	99
PID 3716 wrote to memory of 2792	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	99
PID 3716 wrote to memory of 2792	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	99
PID 3716 wrote to memory of 2072	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	101
PID 3716 wrote to memory of 2072	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	101
PID 3716 wrote to memory of 2072	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	101
PID 3716 wrote to memory of 4056	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	103
PID 3716 wrote to memory of 4056	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	103
PID 3716 wrote to memory of 4056	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	103
PID 3716 wrote to memory of 4140	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	105
PID 3716 wrote to memory of 4140	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	105
PID 3716 wrote to memory of 4140	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	105
PID 3716 wrote to memory of 3628	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	106
PID 3716 wrote to memory of 3628	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	106
PID 3716 wrote to memory of 3628	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	106
PID 3716 wrote to memory of 3548	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	107
PID 3716 wrote to memory of 3548	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	107
PID 3716 wrote to memory of 3548	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	107
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 3716 wrote to memory of 1716	3716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	108
PID 1716 wrote to memory of 3988	1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	109
PID 1716 wrote to memory of 3988	1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	109
PID 1716 wrote to memory of 3988	1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	109
PID 1716 wrote to memory of 3988	1716	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	109
PID 3988 wrote to memory of 4652	3988	iexplore.exe	110
PID 3988 wrote to memory of 4652	3988	iexplore.exe	110
PID 4652 wrote to memory of 4356	4652	msedge.exe	111
PID 4652 wrote to memory of 4356	4652	msedge.exe	111
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112
PID 4652 wrote to memory of 3840	4652	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
"C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DGlxtFUfY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79AF.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  PID:4140
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1716
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8ab9346f8,0x7ff8ab934708,0x7ff8ab934718
        5⤵
        
        PID:4356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:3840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        
        PID:2728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
        5⤵
        
        PID:4848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
        5⤵
        
        PID:3352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
        5⤵
        
        PID:4884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        5⤵
        
        PID:4496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        5⤵
        
        PID:2632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
        5⤵
        
        PID:1128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16242673220495527174,7178819342714582047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        5⤵
        
        PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ab9346f8,0x7ff8ab934708,0x7ff8ab934718
        5⤵
        
        PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e046dea693c31949b57138063de86233

SHA1
c0e42ff21697f56de8f385be9f29ae2e3fde9b2f

SHA256
92b825b9a828690a39ff2d65eae9dcc25061b2456e601ede9ea66dcb7a5becb0

SHA512
6a349d6e475149e05237bcff08bbd77c0f4979691f5417efb5edfc4be784f1fa990281bf29efe35dee05dd3ee2a9d45aa999bfb3baf1185f0d4d41b675eadf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46a7239bedf98bb42748c0f09fa705bd

SHA1
ed3210fe9b442900e2cc5444412e1a17cf19b9a0

SHA256
0c9875e9ddc2629c7eae1aa09bd4cf4bd97b30ced9997ffad9c207098fc4d3ad

SHA512
e2d176b9b2a95e296f69d1c6b073832d249c0d3bde64cb7eb20f81691398303d5d6571a757d8a03a55066135e867ee3c601443b76ced603c6802ec28cb043f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8409d687bb2e99c2ff5851e4d661f222

SHA1
47f7e28ce9e79a097db6babf4e2b4f9be7929936

SHA256
2b042405fcea705d87652c8094ce30f758e5a51d3c18b067f01d469af39221f6

SHA512
00cd9bebdb505bb74718ba4e8ff4e2638708a2ac7ec7a1c81457316d579b44df696ccd732970222d5fdb6bb3cd07cf010b9ec304a744c1cb6c2d460d5b7daa6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f6127b69ad60452fbd473613758840c

SHA1
f23363f0b8ce4e348aaac5ffb70c002425c86b4c

SHA256
1c07a5c10851a25bc71db10ff7873a90eb937b6608ad0ebde4e3b20e518a5b3f

SHA512
653da64449591aae3729ed0df8146ff25db79337bf36946529f2a3b4af752bef9faa0be14d0bef9bcda63d5e50e5193c06f84393b13273f71e436bc16ea85ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
570dd23f47ff24a64ae70f660131b7e8

SHA1
ebfac7014e5200421ae2385ff6b7b365e39026f4

SHA256
bdd4e2c2d992a66c57c55747bb17c817349df982f9d59a045d2679b67b8f7bd6

SHA512
a151d752657e8d933a064604b84c6c4f18234b2f79a09c66c4101d91a95f2a8315294d551509d88f84ce18765d37fe828061a86f32bda8f334c50d6df05b9486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58de36.TMP

Filesize
371B

MD5
81a4a2065fc56ea396c9f3d249a658af

SHA1
be7a0e566954164a467f55a090117c953f628855

SHA256
27d94b11f55266bb37bf1512a2c685a47ab120c81107bbfbb846c3b60f8b00c3

SHA512
26349dd7ee8d62e44d9df9bafbfea7c199fa111664cde9c64e8138678cf63bd7b99038227622e09d0958f99c703d841eca6f16ce58fad901c0b72b840048d10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2ca8dcb101a5e1d0dfc5c277036273d

SHA1
3fd98d6de3c84639fe4b6a45b241f778ddbf51b8

SHA256
e29c54dc683d7ae4f949582bdd216885f45a81da3b8387bfd288968fca26ed86

SHA512
06583a006e9784f183fbf4a511d484e43c1a585c67696d454afcbe8669ad6e7566c774a89ef33f90db5fe31ef41cb185a3ecbe08db5a08d9d972847e1add5ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c480dcbbb9ce87e4bbb0a3f6e8c0ebf2

SHA1
1f8fb620cd6fa743ede4c3e18d02be97b58d968a

SHA256
b4f0e6111f8a566f7bd7585d59f7178c6bd6bef23e4ebe718020da560dff6f34

SHA512
23d2dc937518e5c7dfbd5b3a50403fa6963cb2366a5adeecdbd810b6f9a9e85d0668a5282de13c8aa805c78503b03fc3122d45e0fdccdf0e20d17f4b054f839a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ddkziykz.cfc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79AF.tmp

Filesize
1KB

MD5
b8013e9deb7a6ee41f9a663624f56eb8

SHA1
3665bbfa1baa0d903dfd9adba42ea4e8a775157b

SHA256
b40c6e2fca1650ed59646914faf623f0e038ba1622780b4cacef6ec0e75545d5

SHA512
b757222b6fbb33db6503f8336dc876c24562e22f727f3b86fc3fc830193871571293b224132e4a5d77051efc378540cb54b789551986ca440d29a3a2efe7c4c6

Download Submit
memory/1716-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1716-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-24-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2072-97-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/2072-25-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2072-64-0x000000006F1D0000-0x000000006F21C000-memory.dmp

Filesize
304KB

Download
memory/2072-103-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/2072-104-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/2072-105-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/2072-108-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2072-80-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/2072-76-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/2072-75-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/2792-19-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-18-0x0000000004BE0000-0x0000000005208000-memory.dmp

Filesize
6.2MB

Download
memory/2792-63-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/2792-74-0x0000000006B50000-0x0000000006BF3000-memory.dmp

Filesize
652KB

Download
memory/2792-53-0x000000006F1D0000-0x000000006F21C000-memory.dmp

Filesize
304KB

Download
memory/2792-22-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/2792-51-0x0000000005A90000-0x0000000005ADC000-memory.dmp

Filesize
304KB

Download
memory/2792-77-0x0000000006D90000-0x0000000006D9A000-memory.dmp

Filesize
40KB

Download
memory/2792-78-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/2792-49-0x0000000005A00000-0x0000000005A1E000-memory.dmp

Filesize
120KB

Download
memory/2792-112-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-31-0x0000000005410000-0x0000000005764000-memory.dmp

Filesize
3.3MB

Download
memory/2792-15-0x0000000002100000-0x0000000002136000-memory.dmp

Filesize
216KB

Download
memory/2792-23-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/2792-21-0x0000000004A30000-0x0000000004A52000-memory.dmp

Filesize
136KB

Download
memory/2792-52-0x0000000005F50000-0x0000000005F82000-memory.dmp

Filesize
200KB

Download
memory/2792-16-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-17-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3716-7-0x0000000005BA0000-0x0000000005BB8000-memory.dmp

Filesize
96KB

Download
memory/3716-10-0x0000000008C20000-0x0000000008CE4000-memory.dmp

Filesize
784KB

Download
memory/3716-50-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3716-9-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3716-8-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/3716-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/3716-6-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/3716-5-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3716-4-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/3716-3-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/3716-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/3716-1-0x0000000000E00000-0x0000000000EFE000-memory.dmp

Filesize
1016KB

Download
memory/3988-48-0x0000000000620000-0x000000000071E000-memory.dmp

Filesize
1016KB

Download